Hi Jorge

The access-list is used to match traffic for NAT so you don't need to apply it to the interface do you ?

Jose

What is the source ip address and what is the destination address.

Is the destination address reached out of vlan 7.

Have you tried a "debug ip nat". Obviously you need to be careful with any debugging if this is a production switch.

Jon

This is correct john what was I thinking! there is not statics . thanks for correcting..

I just labed this out , the configuration from Jose seems fine, I agree with John " debug IP nat " ..

Jorge

I have a PC with the IP 10.2.100.55 connects to vlan 14. I want to ping a host outside from my network, using the IPs in vlan 7, that have connection to outside (Internet, for example).

I activate the command debug ip nat, but don't appear anything in console.

Can you help me with any suggestion?

Thanks again for your help.

Jose

Jose, if you have a local console connection onto the router issue the following:

router(config)#logging buffered debugging

router(config)#logging console

router(config)#exit

router#terminal monitor

turn on ip nat debugging and try connecting to host 10.2.100.55 on vlan 14 , you should be able to see debugging output on the local console connection.

to turn off debugging issue " no debug all ". As in any debugging configuration use these commands with caution, best to use during non-business hours .

Jorge

Jorge

Nothing about NAT appears in console, but there are other messages that I can see in console.

It seems that the router don't recognize the commands about NAT.

Have you some idea?

Thanks in advanced.

Jose

Jose, could you in addition of ip nat debug do icmp as well "debugg ip icmp " and try pinging host again.., have you ensured that host on vlan 14 does not have any firewalls turned on ..

post any output debug results .

[edit] can you also verify interface vlan14 is up/up do " show ip interface brief "

Jorge

Jorge,

I did this:

#debug ip nat

IP NAT debugging is on

#debug ip icmp

ICMP packet debugging is on

#terminal monitor

#show ip interface brief

Interface IP-Address OK? Method Status Protocol

Vlan7 1xx.xxx.xxx.126 YES NVRAM up up

Vlan14 10.2.100.254 YES manual up

#sh debugging

Generic IP:

ICMP packet debugging is on

IP NAT debugging is on

IP NAT detailed debugging is on

When I do a ping from host 10.2.100.55 to the interface vlan14 10.2.100.254, in logs appear:

#sh logging | include 2.100

Dec 14 10:14:48: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

Dec 14 10:14:49: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

Dec 14 10:14:50: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

Dec 14 10:14:51: ICMP: echo reply sent, src 10.2.100.254, dst 10.2.100.55

But if do a ping to other ip, don't appear anything.

None entry about NAT appears in logs.

Can you help me, one more once?

Thanks in advanced

Jose

Jose

Can you post output of a "show ip route"

and also tell us what the other ip address you are trying to ping is ?

Jon

Jorge

I do "sh ip route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 172.16.240.1 to network 0.0.0.0

O IA 192.168.12.0/24 [110/3] via 172.16.240.1, 00:51:09, Vlan540

O 192.168.209.0/24 [110/2] via 172.16.131.4, 00:51:09, Vlan200

[110/2] via 172.16.131.3, 00:51:09, Vlan200

193.132.09.0/24 is variably subnetted, 7 subnets, 2 masks

O E2 192.168.73.96 [110/1] via 172.16.240.1, 00:51:09, Vlan540

84.0.0.0/20 is subnetted, 1 subnets

O 192.168.121.0 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.32 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.64 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.121.96 [110/3] via 172.16.240.1, 00:51:55, Vlan540

O 192.168.212.0/24 [110/2] via 172.16.131.4, 00:52:14, Vlan200

[110/2] via 172.16.131.3, 00:52:14, Vlan200

O IA 192.168.10.0/24 [110/3] via 172.16.240.1, 00:52:14, Vlan540

C 192.168.228.0/24 is directly connected, Vlan41

C 192.168.246.0/24 is directly connected, Vlan18

O E2 192.168.245.0/24 [110/20] via 172.16.131.2, 00:53:04, Vlan200

O IA 192.168.11.0/24 [110/2] via 172.16.240.1, 00:53:04, Vlan540

192.168.56.0/27 is subnetted, 2 subnets

O IA 192.168.56.0 [110/4] via 172.16.240.1, 00:53:04, Vlan540

O IA 192.168.56.32 [110/4] via 172.16.240.1, 00:53:04, Vlan540

O*E2 0.0.0.0/0 [110/1] via 172.16.240.1, 00:53:31, Vlan540

I try ping to:

ping 192.168.121.55 - Didn't ping to host and didn't appear anything in logs (this is outside from my network)

ping 192.168.246.254 - Did the ping to host and appear in logs (This is in a vlan in my router)

Thanks in advanced

Jose

Jose

You have an "ip nat outside" statement under vlan 7 but you have no routes pointing out of vlan 7.

So unless you are trying to ping an IP address on vlan 7 then NAT will not happen.

Jon

Jorge

Yes, it true.

Now I do this:

#router ospf 1

network 1xx.xxx.xx.0 0.0.0.255 area 2

#sh ip route | include Vlan7

C 1xx.xxx.xx.96/27 is directly connected, Vlan7

I ping 1xx.xxx.xx.126 and this is the replay:

Dec 14 11:10:05: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

Dec 14 11:10:06: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

Dec 14 11:10:07: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

Dec 14 11:10:08: ICMP: echo reply sent, src 1xx.xxx.xx.126, dst 10.2.100.55

But everything the remaining portion is remained equal

Thanks in advanced

Jose

Jose

It's Jon not Jorge although i'm sure Jorge will be along soon :)

Could you tell me exactly what you are trying to achieve and what is the source and destination.

If you ping a packet from vlan 14 and that packet is reachable via vlan 540 in your routing table then you will use the "ip nat outside" statement on your vlan 7 interface.

Jon

Jon,

Sorry for the Jorge .

I have a lot of PCs in vlan 14 that have internal IPs (10.2.100.0/24).

I have vlan7 that have international IPs.

What I want to do is that the PCs in vlan 14 accede to the Internet, without using a proxy.

It is therefore that I want to use the NAT.

I wait that it has perceived.

Thanks in advanced

Jose